foreman_vault 0.0.1

data/app/views/vault_connections/_form.html.erb

@@ -0,0 +1,7 @@
+<%= form_for @vault_connection, :url => (@vault_connection.new_record? ? vault_connections_path : vault_connection_path(:id => @vault_connection)) do |f| %>
+  <%= base_errors_for @vault_connection %>
+  <%= text_f f, :name, :help_inline => _("Vault Connection name") %>
+  <%= text_f f, :url, :help_inline => _("Vault Server url") %>
+  <%= text_f f, :token, :help_inline => _("Vault Connection token") %>
+  <%= submit_or_cancel f %>
+<% end %>

data/app/views/vault_connections/edit.html.erb

@@ -0,0 +1,3 @@
+<% title _("Edit %s") % @vault_connection.to_s %>
+
+<%= render :partial => 'form' %>

data/app/views/vault_connections/index.html.erb

@@ -0,0 +1,31 @@
+<% title _('Vault Connections') %>
+<% title_actions(new_link(_("Create Vault Connection"))) %>
+
+<table class="<%= table_css_classes 'table-fixed' %>">
+  <thead>
+    <tr>
+      <th class="col-md-9"><%= sort :name, :as => s_('Vault Connections|Name') %></th>
+      <th class="col-md-1"><%= _('Valid') %></th>
+      <th class="col-md-1"><%= _('Expire time') %></th>
+      <th class="col-md-1"><%= _('Actions') %></th>
+    </tr>
+  </thead>
+  <tbody>
+    <% @vault_connections.each do |vault_connection| %>
+      <tr>
+        <td class="ellipsis">
+          <%= link_to_if_authorized vault_connection.name, hash_for_edit_vault_connection_path(:id => vault_connection) %>
+        </td>
+        <td align='center'>
+          <% if vault_connection.token_valid? %>
+            <%= ('<span class="glyphicon glyphicon-ok"/>').html_safe %>
+          <% else %>
+            <%= ('<span class="glyphicon glyphicon-remove" title="%s"/>' % vault_connection.vault_error).html_safe %>
+          <% end %>
+        </td>
+        <td><%= date_time_absolute(vault_connection.expire_time) %></td>
+        <td><%= action_buttons display_delete_if_authorized hash_for_vault_connection_path(:id => vault_connection), :data => { :confirm => _("Delete %s?") % vault_connection.name } %></td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>

data/app/views/vault_connections/new.html.erb

@@ -0,0 +1,3 @@
+<% title _('Create Vault Connection') %>
+
+<%= render :partial => 'form' %>

data/config/foreman_vault.yaml.example

@@ -0,0 +1,4 @@
+:foreman_vault:
+  :refresh_tokens_wait_time: 30
+  :refresh_token_retry_wait: 5
+  :refresh_token_retry_attempts: 3

data/config/routes.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+Rails.application.routes.draw do
+  resources :vault_connections, except: :show
+
+  namespace :api, defaults: { format: 'json' } do
+    scope '(:apiv)', module: :v2, defaults: { apiv: 'v2' }, apiv: /v1|v2/, constraints: ApiConstraints.new(version: 2, default: true) do
+      resources :vault_connections, only: [:index, :show, :create, :update, :destroy]
+    end
+  end
+end

data/db/migrate/20180725072913_create_vault_connection.foreman_vault.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class CreateVaultConnection < ActiveRecord::Migration[5.1]
+  def change
+    create_table :vault_connections do |t|
+      t.string :name
+      t.string :url
+      t.string :token
+      t.string :vault_status
+      t.datetime :expire_time
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20180809172407_rename_vault_status_to_vault_error.foreman_vault.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class RenameVaultStatusToVaultError < ActiveRecord::Migration[5.1]
+  def change
+    rename_column :vault_connections, :vault_status, :vault_error
+  end
+end

data/lib/foreman_vault.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+require 'foreman_vault/engine'
+
+module ForemanVault
+end

data/lib/foreman_vault/engine.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module ForemanVault
+  class Engine < ::Rails::Engine
+    engine_name 'foreman_vault'
+
+    config.autoload_paths += Dir["#{config.root}/app/controllers"]
+    config.autoload_paths += Dir["#{config.root}/app/models"]
+    config.autoload_paths += Dir["#{config.root}/app/services"]
+    config.autoload_paths += Dir["#{config.root}/app/lib"]
+    config.autoload_paths += Dir["#{config.root}/app/jobs"]
+
+    # Add any db migrations
+    initializer 'foreman_vault.load_app_instance_data' do |app|
+      ForemanVault::Engine.paths['db/migrate'].existent.each do |path|
+        app.config.paths['db/migrate'] << path
+      end
+    end
+
+    initializer 'foreman_vault.register_plugin', before: :finisher_hook do |_app|
+      Foreman::Plugin.register :foreman_vault do
+        requires_foreman '>= 1.20'
+
+        apipie_documented_controllers ["#{ForemanVault::Engine.root}/app/controllers/api/v2/*.rb"]
+
+        # Add permissions
+        security_block :foreman_vault do
+          permission :view_vault_connections,     { vault_connections: [:index, :show],
+                                                    'api/v2/vault_connections': [:index, :show] }, resource_type: 'VaultConnection'
+          permission :create_vault_connections,   { vault_connections: [:new, :create],
+                                                    'api/v2/vault_connections': [:create] }, resource_type: 'VaultConnection'
+          permission :edit_vault_connections,     { vault_connections: [:edit, :update],
+                                                    'api/v2/vault_connections': [:update] }, resource_type: 'VaultConnection'
+          permission :destroy_vault_connections,  { vault_connections: [:destroy],
+                                                    'api/v2/vault_connections': [:destroy] }, resource_type: 'VaultConnection'
+        end
+
+        # add menu entry
+        menu :top_menu, :vault_connections, url_hash: { controller: :vault_connections, action: :index },
+                                            caption: N_('Vault Connections'),
+                                            parent: :infrastructure_menu
+      end
+    end
+
+    config.to_prepare do
+      begin
+        Foreman::Renderer::Scope::Base.include(ForemanVault::Macros)
+        Foreman::Renderer.configure { |c| c.allowed_generic_helpers += [:vault_secret] }
+      rescue StandardError => e
+        Rails.logger.warn "ForemanVault: skipping engine hook (#{e})"
+      end
+    end
+
+    initializer 'foreman_vault.register_gettext', after: :load_config_initializers do |_app|
+      locale_dir = File.join(File.expand_path('../..', __dir__), 'locale')
+      locale_domain = 'foreman_vault'
+      Foreman::Gettext::Support.add_text_domain locale_domain, locale_dir
+    end
+
+    initializer 'foreman_vault.trigger_jobs', after: :load_config_initializers do |_app|
+      ::Foreman::Application.dynflow.config.on_init do |world|
+        RefreshVaultTokens.spawn_if_missing(world)
+      end
+    end
+  end
+end

data/lib/foreman_vault/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module ForemanVault
+  VERSION = '0.0.1'
+end

data/lib/tasks/foreman_vault_tasks.rake

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'rake/testtask'
+
+# Tasks
+namespace :foreman_vault do
+end
+
+# Tests
+namespace :test do
+  desc 'Test ForemanVault'
+  Rake::TestTask.new(:foreman_vault) do |t|
+    test_dir = File.join(File.dirname(__FILE__), '../..', 'test')
+    t.libs << ['test', test_dir]
+    t.pattern = "#{test_dir}/**/*_test.rb"
+    t.verbose = true
+    t.warning = false
+  end
+end
+
+namespace :foreman_vault do
+  task :rubocop do
+    begin
+      require 'rubocop/rake_task'
+      RuboCop::RakeTask.new(:rubocop_foreman_vault) do |task|
+        task.patterns = ["#{ForemanVault::Engine.root}/app/**/*.rb",
+                         "#{ForemanVault::Engine.root}/lib/**/*.rb",
+                         "#{ForemanVault::Engine.root}/test/**/*.rb"]
+      end
+    rescue StandardError
+      puts 'Rubocop not loaded.'
+    end
+
+    Rake::Task['rubocop_foreman_vault'].invoke
+  end
+end
+
+Rake::Task[:test].enhance ['test:foreman_vault']
+
+load 'tasks/jenkins.rake'
+
+Rake::Task['jenkins:unit'].enhance ['test:foreman_vault', 'foreman_vault:rubocop'] if Rake::Task.task_defined?(:'jenkins:unit')

data/locale/Makefile

@@ -0,0 +1,60 @@
+#
+# Makefile for PO merging and MO generation. More info in the README.
+#
+# make all-mo (default) - generate MO files
+# make check - check translations using translate-tool
+# make tx-update - download and merge translations from Transifex
+# make clean - clean everything
+#
+DOMAIN = foreman_vault
+VERSION = $(shell ruby -e 'require "rubygems";spec = Gem::Specification::load(Dir.glob("../*.gemspec")[0]);puts spec.version')
+POTFILE = $(DOMAIN).pot
+MOFILE = $(DOMAIN).mo
+POFILES = $(shell find . -name '$(DOMAIN).po')
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POXFILES = $(patsubst %.po,%.pox,$(POFILES))
+EDITFILES = $(patsubst %.po,%.edit.po,$(POFILES))
+
+%.mo: %.po
+	mkdir -p $(shell dirname $@)/LC_MESSAGES
+	msgfmt -o $(shell dirname $@)/LC_MESSAGES/$(MOFILE) $<
+
+# Generate MO files from PO files
+all-mo: $(MOFILES)
+
+# Check for malformed strings
+%.pox: %.po
+	msgfmt -c $<
+	pofilter --nofuzzy -t variables -t blank -t urls -t emails -t long -t newlines \
+		-t endwhitespace -t endpunc -t puncspacing -t options -t printf -t validchars --gnome $< > $@
+	cat $@
+	! grep -q msgid $@
+
+%.edit.po:
+	touch $@
+
+check: $(POXFILES)
+
+# Unify duplicate translations
+uniq-po:
+	for f in $(shell find ./ -name "*.po") ; do \
+		msguniq $$f -o $$f ; \
+	done
+
+tx-pull: $(EDITFILES)
+	tx pull -f
+	for f in $(EDITFILES) ; do \
+		sed -i 's/^\("Project-Id-Version: \).*$$/\1$(DOMAIN) $(VERSION)\\n"/' $$f; \
+	done
+
+tx-update: tx-pull
+	@echo
+	@echo Run rake plugin:gettext[$(DOMAIN)] from the Foreman installation, then make -C locale mo-files to finish
+	@echo
+
+mo-files: $(MOFILES)
+	git add $(POFILES) $(POTFILE) ../locale/*/LC_MESSAGES
+	git commit -m "i18n - pulling from tx"
+	@echo
+	@echo Changes commited!
+	@echo

data/locale/en/foreman_vault.po

@@ -0,0 +1,19 @@
+# foreman_vault
+#
+# This file is distributed under the same license as foreman_vault.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: version 0.0.1\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2014-08-20 08:46+0100\n"
+"PO-Revision-Date: 2014-08-20 08:54+0100\n"
+"Last-Translator: Foreman Team <foreman-dev@googlegroups.com>\n"
+"Language-Team: Foreman Team <foreman-dev@googlegroups.com>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+

data/locale/foreman_vault.pot

@@ -0,0 +1,19 @@
+# foreman_vault
+#
+# This file is distributed under the same license as foreman_vault.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: version 0.0.1\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2014-08-20 08:46+0100\n"
+"PO-Revision-Date: 2014-08-20 08:46+0100\n"
+"Last-Translator: Foreman Team <foreman-dev@googlegroups.com>\n"
+"Language-Team: Foreman Team <foreman-dev@googlegroups.com>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\n"
+

data/locale/gemspec.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+# Matches foreman_vault.gemspec
+_('Adds support for using credentials from Hashicorp Vault')

data/test/factories/foreman_vault_factories.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :vault_connection, class: VaultConnection do
+    sequence(:name) { |n| "VaultServer-#{n}" }
+    url 'http://localhost:8200'
+    token '16aa4f29-035d-b604-f3d3-8cd9a6a6921c'
+    expire_time { Time.zone.now + 1.year }
+
+    trait :invalid do
+      expire_time nil
+    end
+
+    trait :without_callbacks do
+      after(:build) do |user|
+        class << user
+          def set_expire_time
+            true
+          end
+
+          def update_expire_time
+            true
+          end
+        end
+      end
+    end
+  end
+end

data/test/functional/api/v2/vault_connections_controller_test.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+module Api
+  module V2
+    class VaultConnectionsControllerTest < ActionController::TestCase
+      setup do
+        @vault_connection = FactoryBot.create(:vault_connection, :without_callbacks)
+      end
+
+      describe '#index' do
+        test 'should get vault connections' do
+          get :index
+          response = ActiveSupport::JSON.decode(@response.body)
+          assert_response :success
+          assert response['results'].any?, 'Should respond with VaultConnections'
+        end
+      end
+
+      describe '#show' do
+        test 'should get vault connection detail' do
+          get :show, params: { id: @vault_connection.to_param }
+          assert_response :success
+          vault_connection = ActiveSupport::JSON.decode(@response.body)
+          assert_not vault_connection.empty?
+          assert_equal vault_connection['name'], @vault_connection.name
+        end
+      end
+
+      describe '#create' do
+        test 'should create valid' do
+          response = OpenStruct.new(data: { expire_time: '2018-08-01' })
+          auth_token = mock.tap { |object| object.expects(:lookup_self).returns(response) }
+          client = mock.tap { |object| object.expects(:auth_token).returns(auth_token) }
+          Vault::Client.expects(:new).returns(client)
+
+          params = { name: 'valid', url: 'http://localhost:8200', token: 'token' }
+          post :create, params: { vault_connection: params }
+          assert_response :success
+        end
+
+        test 'should not create invalid' do
+          post :create
+          assert_response :unprocessable_entity
+        end
+      end
+
+      describe '#update' do
+        test 'should update valid' do
+          response = OpenStruct.new(data: { expire_time: '2018-08-01' })
+          auth_token = mock.tap { |object| object.expects(:lookup_self).returns(response) }
+          client = mock.tap { |object| object.expects(:auth_token).returns(auth_token) }
+          Vault::Client.expects(:new).returns(client)
+
+          params = { name: 'New name', url: 'http://localhost:8200', token: 'token' }
+          put :update, params: { id: @vault_connection.to_param, vault_connection: params }
+          response = ActiveSupport::JSON.decode(@response.body)
+          assert_response :success
+          assert_equal params[:name], response['name']
+        end
+
+        test 'should not update invalid' do
+          params = { name: nil, url: nil, token: nil }
+          put :update, params: { id: @vault_connection.to_param, vault_connection: params }
+          assert_response :unprocessable_entity
+        end
+      end
+
+      describe '#destroy' do
+        test 'should destroy' do
+          assert VaultConnection.exists?(@vault_connection.id)
+          delete :destroy, params: { id: @vault_connection.to_param }
+          assert_response :success
+          refute VaultConnection.exists?(@vault_connection.id)
+        end
+      end
+    end
+  end
+end

data/test/jobs/refresh_vault_token_test.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+class RefreshVaultTokenTest < ActiveJob::TestCase
+  setup do
+    response = OpenStruct.new(data: { expire_time: '2018-08-09' })
+    auth_token = mock.tap { |object| object.expects(:lookup_self).returns(response) }
+    client = mock.tap { |object| object.expects(:auth_token).returns(auth_token) }
+    Vault::Client.expects(:new).returns(client)
+    @vault_connection = FactoryBot.create(:vault_connection)
+  end
+
+  test 'should refresh vault token' do
+    travel_to Time.zone.parse('2018-08-08')
+    new_expire_time = '2018-08-10'
+    auth_token = mock.tap do |object|
+      renew_self_response = OpenStruct.new(data: nil)
+      object.expects(:renew_self).once.returns(renew_self_response)
+      lookup_self_response = OpenStruct.new(data: { expire_time: new_expire_time })
+      object.expects(:lookup_self).once.returns(lookup_self_response)
+    end
+    client = mock.tap { |object| object.expects(:auth_token).twice.returns(auth_token) }
+    Vault::Client.expects(:new).once.returns(client)
+
+    perform_enqueued_jobs { RefreshVaultToken.perform_later(@vault_connection.id) }
+    assert_equal Time.zone.parse(new_expire_time), @vault_connection.reload.expire_time
+  end
+end